Intrusion prevention system edge controller

ABSTRACT

A system and method for extending the implementation of one or more Intrusion Prevention Systems (IPSs) such that each user can be placed in the IPS traffic path to create secure containment areas at a granular level, port types and port counts are increased, and higher network connection speeds are supported. In different embodiments of the invention, traffic load is balanced across two or more IPSs, enabling enhanced availability during system failures, replacements or updates. IPS performance is improved by enhancing traffic management of “trusted” (e.g., pass-through) and “known bad” (e.g., discarded) traffic flows and decreasing configuration task workloads. Other embodiments of the invention include, but are not limited to, extending the implementation of proxy devices, virtual private networks (VPNs), session border controllers (SBCs), firewalls, protocol gateways and other bump-in-the-wire systems.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates in general to the field of network security and more specifically, to intrusion prevention systems.

2. Description of the Related Art

The use of networks has grown significantly over the last few years. Concurrently, the sophistication of internal and external network attacks in the form of viruses, Trojan horses, worms and malware of all sorts has increased dramatically. Just as dramatic is the accelerated increase of network speeds and a corresponding drop in their cost, thereby driving their rapid adoption. These factors and others have necessitated the development of innovative and more advanced network security mechanisms.

For example, Intrusion Detection Systems (IDS) can often detect network attacks, but as passive systems they generally offer little more than after-the-fact notification. In contrast, Intrusion Prevention Systems (IPS) have been developed to complement traditional security products such as firewalls by proactively analyzing network traffic flows and active connections while scanning incoming and outgoing requests. As network traffic passes through the IPS, it is examined for malicious packets. If a potential threat is detected or traffic is identified as being associated with an unwanted application, it is blocked, while legitimate traffic is passed through the system unimpeded.

Properly implemented, IPSs can be an effective network security safeguard. However, there is a current need for additional IPS capabilities, such as the ability to protect against attacks from peers sharing a common switch. Other needs include the ability to scale existing IPSs to accommodate higher network link speeds and balance traffic loads across multiple IPSs. Similarly, there is a growing demand for greater numbers of port types and port counts, as well as enhanced availability during system failures, replacements or updates. Likewise, with the growing popularity of applications such as voice over IP (VoIP), there is a need for enhanced traffic management through port segmentation and improved system performance through the use of “trusted” and “known bad” (e.g., discarded) traffic flows. In view of the foregoing, more flexible, scalable and manageable implementations of IPS capabilities are needed.

SUMMARY OF THE INVENTION

In accordance with the present invention, a system and method is disclosed for extending the implementation of one or more Intrusion Prevention Systems (IPSs) through integration with one or more IPS Edge Controllers such that each user can be placed in the IPS traffic path to create secure containment areas at a granular level, port types and port counts are increased, higher network connection speeds are supported, traffic load is balanced across two or more IPSs, enhanced availability is enabled during system failures, replacements or updates, ports are segmented for enhanced traffic management, performance is improved through the use of “trusted” and “known bad” (i.e., discarded) traffic flows, and configuration task workloads are decreased.

Those of skill in the art will be aware that Intrusion Prevention Systems (IPSs) that perform network traffic security processing before data packets are processed by a host computer are generally referred to as “bump in the wire” (BITW) systems. In different embodiments of the present invention, an IPS Edge Controller is implemented with a BITW-based IPS, thereby allowing the IPS to be placed as a “bump in traffic path” (BITP) of each user. The IPS Edge Controller increases the number of IPS port types and port counts, thereby enabling various port speeds and physical media interconnection types. The addition of such switch ports to an IPS allows higher speed (e.g., 10 Gbps Ethernet) network interfaces to be supported by load balancing traffic flows across two or more lower speed (e.g., 1 Gbps) IPSs. Similarly, the implementation of multiple IPSs in conjunction with an IPS Edge Controller can provide increased and enhanced availability during system failures, replacements, or updates. For example, if one IPS is lost or removed from service, the IPS Edge Controller can redistribute the traffic load to one or more other IPSs. If no operational IPS is available due to failure or removal from service, the IPS Edge Controller can pass traffic directly from incoming side ‘A’ ports to outgoing side ‘B’ ports, in which case that traffic is forwarded without inspection.

Additionally, different embodiments of the invention can improve overall system performance through the management of traffic flows. As an example, “trusted” flows can be configured among IPS Edge Controller ports to bypass the IPS, resulting in higher “trusted” flow performance. Likewise, “known bad” flows can be discarded by the IPS Edge Controller ports such that they never reach the IPS, thereby improving IPS performance by freeing resources for improved processing of “unknown” traffic. Similarly, the IPS Edge Controller can be configured to transition into bypass mode when a predetermined IPS packet loss threshold level is reached. In an embodiment of the invention, a configuration agent can be implemented to utilize information from the IPS, the IPS Edge Controller, observed traffic, and/or network management input to automatically and dynamically configure IPS Edge Controller ports, as well as enabling “hitless” updates to the IPS, thereby resulting in decreased configuration workload. Other embodiments of the invention include, but are not limited to, extending the implementation of proxy devices, virtual private networks (VPNs), session border controllers (SBCs), firewalls, protocol gateways, and other bump-in-the-wire systems. Those of skill in the art will understand that many such embodiments and variations of the invention are possible, including but not limited to those described hereinabove, which are by no means all inclusive.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention may be better understood, and its numerous objects, features and advantages made apparent to those skilled in the art by referencing the accompanying drawings. The use of the same reference number throughout the several figures designates a like or similar element.

FIG. 1 is a generalized block diagram illustrating an Intrusion Prevention System (IPS) as commonly implemented as a “Bump In The Wire” (BITW);

FIG. 2 is a generalized block diagram illustrating a plurality of IPSs as commonly implemented in a network environment;

FIG. 3 is a generalized block diagram illustrating an IPS as commonly implemented with a wiring closet switch;

FIG. 4 is a generalized block diagram illustrating an embodiment of the present invention implemented as an IPS Edge Controller to provide additional port pairs for a “Bump In Traffic Path” (BITP)-based IPS;

FIG. 5 is a generalized block diagram illustrating an embodiment of the present invention implemented as an IPS Edge Controller providing additional port pairs through a single, bi-directional ‘I’ link to a BITP-based IPS;

FIG. 6 is a generalized block diagram illustrating an embodiment of the present invention implemented as two or more chained IPS Edge Controllers providing additional port pairs to a BITP-based IPS;

FIG. 7 is a generalized block diagram illustrating an embodiment of the present invention implemented as an IPS Edge Controller to provide load balancing for a BITP-based IPS;

FIG. 8 is a generalized block diagram illustrating an embodiment of the present invention implemented as an IPS Edge Controller to provide high availability for a BITP-based IPS;

FIG. 9 is a generalized block diagram illustrating an embodiment of the present invention implemented as an IPS Edge Controller to provide redundant availability for a BITP-based IPS;

FIG. 10 is a generalized illustration of a network environment comprising redundantly connected Layer 2/3 switches as commonly implemented;

FIG. 11 is a generalized illustration of a network environment comprising redundantly connected Layer 2/3 switches as commonly implemented with a BITW-based IPS;

FIG. 12 is a generalized illustration of an embodiment of the present invention as implemented in a network environment comprising redundantly connected Layer 2/3 switches to provide a BITP-based IPS; and

FIG. 13 is a generalized illustration of an embodiment of the invention as implemented in a network environment comprising redundantly connected Layer 2/3 switches to provide a redundant BITP-based IPS.

DETAILED DESCRIPTION

The IPS Edge Controller extends the implementation of one or more Intrusion Prevention Systems (IPSs) such that each user can be placed in the IPS traffic path to create secure containment areas at a granular level, port types and port counts are increased, higher network connection speeds are supported, traffic load is balanced across two or more IPSs, enhanced availability is enabled during system failures, replacements or updates, and performance is improved through the use of “trusted” and “known bad” (i.e., discarded) traffic flows and decreased configuration task workloads.

FIG. 1 is a generalized block diagram illustrating Intrusion Prevention System (IPS) 102 as commonly implemented as a “Bump In The Wire” (BITW). IPS 102 typically comprises one or more ports comprising Side ‘A’ 104 and one or more ports comprising Side ‘B’ 106. The ports comprising Side ‘A’ 104 and Side ‘B’ 106 are typically implemented to handle bidirectional network traffic. Incoming network traffic packets are examined by IPS 102 for security threats, and if found, the packets are filtered out or discarded instead of being forwarded to their intended destination.

FIG. 2 is a generalized block diagram illustrating a plurality of Intrusion Prevention Systems (IPSs) 218, 228, 232, as commonly implemented in a network environment. In this illustration, internal sub-network ‘A’ 210 is comprised of client personal computer (PC) ‘1’ 212 through client PC ‘n’ 214, connected to switch ‘1’ 216, which in turn is connected to IPS ‘1’ 218. Internal sub-network ‘B’ 220 is comprised of server ‘1’ 222 through server ‘n’ 224, connected to switch ‘2’ 226, which in turn is connected to IPS ‘2’ 228. Internal sub-network ‘A’ 210 and internal sub-network ‘B’ 220 are connected to router 230, which is connected to IPS ‘3’ 232, which in turn is connected to external network 234. IPS ‘3’ 232 is commonly implemented to prevent the intrusion of security threats into internal sub-network ‘A’ 210 and internal sub-network ‘B’ 220 from external network 234.

IPS ‘1’ 218 provides additional intrusion protection by preventing the intrusion of security threats originating from internal sub-network ‘A’ 210. Likewise, IPS ‘2’ 228 provides additional intrusion protection by preventing the intrusion of security threats originating from internal sub-network ‘B’ 220. As will be apparent to skilled practitioners of the art, the implementation of IPS ‘1’ 218 isolates intrusion issues to internal sub-network 210, comprised of one or more client PCs 212 through 214 and corresponding switch ‘1’ 216. Similarly, the implementation of IPS ‘2’ 228 isolates intrusion issues to internal sub-network 220, comprised of one or more servers 222 through 224 and corresponding switch ‘2’ 226.

FIG. 3 is a generalized block diagram illustrating Intrusion Prevention System (IPS) 310 as commonly implemented as a “Bump In The Wire” (BITW) with wiring closet switch 306. In this illustration, user ‘1’ 302 through user ‘n’ 304 are connected to wiring closet switch 306, which is connected to IPS 310, which in turn is connected to local area network (LAN) backbone 312. As described in greater detail hereinabove, IPS 310 is commonly implemented between a switch and a network to prevent security threats from being received from, or transmitted to, LAN backbone 312. However, while user ‘1’ 302 through user ‘n’ 304 are protected from receiving and sending security threats through LAN backbone 312, they are not protected from each other, as peer-to-peer traffic can traverse wiring closet switch 306 without being examined by IPS 310 for security threats. The same security issues are equally applicable to implementations of proxy devices, virtual private networks (VPNs), session border controllers (SBCs), firewalls, protocol gateways, and other bump-in-the-wire systems known to those of skill in the art.

FIG. 4 is a generalized block diagram illustrating an embodiment of the present invention implemented as IPS Edge Controller 408 to provide additional port pairs for a “Bump In Traffic Path” (BITP) Intrusion Prevention System (IPS). In this embodiment of the invention, IPS Edge Controller 408 comprises a plurality of side ‘A’ end-point ports (E-ports) E₁ 421, E₂ 422, E₃ 423, E₄ 424 and a corresponding plurality of side ‘B’ E-ports E₁₉ 439, E₂₀ 440, E₂₁ 441, E₂₂ 442, which connect to network end-points or other network infrastructures such as, but not limited to, firewalls, routers or switches. IPS Edge Controller 408 likewise comprises IPS ports (I-ports) I₂₃ 453 and I₂₄ 454, which are connected to corresponding inbound link port I₁ 412 and outbound link port I₂ 414 of IPS ‘1’ 410. E-ports and I-ports are grouped in pairs, with one E-port of the pair directly connected to side ‘A’ and indirectly connected to one of the I-ports. The other I-port of the pair is indirectly connected to the other E-port, which is directly connected to side ‘B.’

In an embodiment of the invention, as network packets enter IPS Edge Controller 408 on a side ‘A’ E-port, IPS Edge Controller 408 adds a Virtual Local Area Network (VLAN) tag to each packet to indicate which side ‘B’ E-port the packet will exit after IPS processing. The packet is then forwarded to the I-port corresponding to the side ‘A’ E-port, which then conveys the packet to IPS ‘1’ 410 for processing. Once IPS processing is complete, the packet is transmitted from IPS ‘1’ 410 to the I-port corresponding to the side ‘B’ E-port indicated in the packet by the VLAN tag.

I-ports are divided into outbound and inbound groups. Outbound I-ports are combined using a link aggregation feature to form an outbound logical I-port (OLIP). Inbound I-ports are typically configured such that Media Access Control (MAC) address learning is disabled and they are made a member of all VLANs. E-ports are configured to redirect traffic to the OLIP. Since the IPS Edge Controller performs the redirect function, all “unknown” (i.e., not identified as “trusted” or “known bad”) traffic received on the E-port is directed to the OLIP. Given that the OLIP is a logical port, inbound traffic is load balanced at the flow level between ports.

In an embodiment of the invention, a plurality of incoming 100 Mbps network links A₁ 460, A₂ 462, A₃ 464, A₄ 466 are connected to corresponding side ‘A’ E-ports E₁ 421, E₂ 422, E₃ 423, E₄ 424. As packets from each network link enter IPS Edge Controller 408, a VLAN tag is added to each packet to indicate which side ‘B’ E-port the packet will exit after processing by IPS ‘1’ 410. In this embodiment of the invention, traffic flows from E-ports E₁ 421, E₂ 422, E₃ 423, E₄ 424 are combined, or “fanned-in”, to I-port I₂₃ 453. The combined traffic flows are then conveyed by I-port I₂₃ 453 via 1 Gbps network link 480 to inbound IPS link port I₁ 412 of IPS ‘1’ 410 for processing. Once IPS processing is complete, the combined traffic flows are conveyed through outbound IPS link port I₂ 414 via 1 Gbps network link 481 to I-port I₂₄ 454. As the combined traffic flows are received by I-port I₂₄ 454, IPS Edge Controller 408 examines the added VLAN tag of each packet to determine its indicated exit E-port, removes the VLAN tag from the packet, and then transmits the resulting packet to the indicated side ‘B’ E-port E₁₉ 439, E₂₀ 440, E₂₁ 441 or E₂₂ 442, which are respectively connected to outgoing 100 Mbps network links B₁ 461, B₂ 463, B₃ 465, B₄ 467. In this embodiment of the invention, the 1 Gbps bandwidth of network link 480, connecting I-port I₂₃ 453 and inbound IPS link port I₁ 412 of IPS ‘1’ 410, can accommodate the combined bandwidth of incoming 100 Mbps network links A₁ 460, A₂ 462, A₃ 464, A₄ 466, and the 1 Gbps bandwidth of network link 481 connecting IPS outbound link port I₂ 414 of IPS ‘1’ 410 and I-port I₂₄ 454 can similarly accommodate the combined bandwidth of outgoing 100 Mbps network links B₁ 461, B₂ 463, B₃ 465, B₄ 467.

In different embodiments of the invention, the IPS Edge Controller can be used to implement “trusted” traffic flows that bypass IPS inspection for increased performance. For example, voice-over-IP (VoIP) traffic can be designated as “trusted” and not requiring IPS processing, thereby preserving IPS resources for other uses. Trusted traffic flows are implemented by creating access control lists (ACLs) on IPS Edge Controller side ‘A’ E-ports 421, 422, 423, 424 that allow “trusted” flows to bypass the IPS and be transmitted as normal out of corresponding side ‘B’ E-ports 439, 440, 441, 442. Since bypassed flows receive no IPS inspection, the ACL entries that designate a flow as “trusted” should match it as narrowly as the flow allows.

In an embodiment of the invention, IPS 410 and IPS Edge Controller 408 are physically separated and directly coupled via cables, such as but not limited to, copper wire or fiber optic cables. In another embodiment of the invention, IPS 410 and IPS Edge Controller 408 are physically separated and remotely coupled via long cables, such as but not limited to, copper wire or fiber optic cables.

FIG. 5 is a generalized block diagram illustrating an embodiment of the present invention implemented as IPS Edge Controller 408 providing additional port pairs through a single, bi-directional ‘I’ link 582 to “Bump In Traffic Path” (BITP) Intrusion Prevention System (IPS) 510. In this embodiment of the invention, IPS Edge Controller 408 comprises a plurality of side ‘A’ end-point ports (E-ports) E₁ 421, E₂ 422, E₃ 423, E₄ 424 and a corresponding plurality of side ‘B’ E-ports E₁₉ 439, E₂₀ 440, E₂₁ 441, E₂₂ 442, which connect to network end-points or other network infrastructures such as, but not limited to, firewalls, routers or switches. IPS Edge Controller 408 likewise comprises bi-directional IPS port (I-port) I₂₅ 555, which is connected to corresponding bi-directional inbound/outbound link port I₃ 516 of IPS ‘1’ 510 by a single cable.

In this embodiment of the invention, E-ports and I-ports are grouped in pairs, with one E-port of the pair directly connected to side ‘A,’ the other directly connected to side ‘B,’ and both indirectly connected to bi-directional I-port I₂₅ 555. As network packets enter IPS Edge Controller 408 on a side ‘A’ E-port, IPS Edge Controller 408 adds a Virtual Local Area Network (VLAN) tag to each packet to indicate which side ‘B’ E-port the packet will exit after IPS processing. The packet is then forwarded to bi-directional I-port I₂₅ 555, which then conveys the packet to IPS ‘1’ 510 for processing. Once IPS ‘1’ 510 completes processing of the packet, it is transmitted through bi-directional I-port I₂₅ 555 to the side ‘B’ E-port indicated in the packet by the VLAN tag.

I-ports are divided into outbound and inbound groups. Outbound I-ports are combined using a link aggregation feature to form an outbound logical I-port (OLIP). Inbound I-ports are typically configured such that Media Access Control (MAC) address learning is disabled and they are made a member of all VLANs. E-ports are configured to redirect traffic to the OLIP. Since the IPS Edge Controller performs the redirect function, all “unknown” (i.e., not identified as “trusted” or “known bad”) traffic received on the E-port is directed to the OLIP. Given that the OLIP is a logical port, inbound traffic is load balanced at the flow level between ports.

In an embodiment of the invention, a plurality of incoming 100 Mbps network links A₁ 460, A₂ 462, A₃ 464, A₄ 466 are connected to corresponding side ‘A’ E-ports E₁ 421, E₂ 422, E₃ 423, E₄ 424. As packets from each network link enter IPS Edge Controller 408, a VLAN tag is added to each packet to indicate which side ‘B’ E-port the packet will exit after processing by IPS ‘1’ 510. In this embodiment of the invention, traffic flows from E-ports E₁ 421, E₂ 422, E₃ 423, E₄ 424 are combined, or “fanned-in,” to bi-directional I-port I₂₅ 555. The combined traffic flows are then conveyed by bi-directional I-port I₂₅ 555 via 1 Gbps network link 582 to bi-directional inbound/outbound IPS link port I₃ 516 of IPS ‘1’ 510 for processing. Once IPS processing is complete, the combined traffic flows are conveyed through bi-directional inbound/outbound IPS link port I₃ 516 via 1 Gbps network link 582 back to bi-directional I-port I₂₅ 555. As the combined traffic flows are received by bi-directional I-port I₂₅ 555, IPS Edge Controller 408 examines the added VLAN tag of each packet to determine its indicated exit E-port, removes the VLAN tag from the packet, and then transmits the resulting packet to the indicated side ‘B’ E-port E₁₉ 439, E₂₀ 440, E₂₁ 441 or E₂₂ 442, which are respectively connected to outgoing 100 Mbps network links B₁ 461, B₂ 463, B₃ 465, B₄ 467. In this embodiment of the invention, the 1 Gbps bandwidth of network link 582, connecting bi-directional I-port I₂₅ 555 and bi-directional inbound/outbound IPS link port I₃ 516 of IPS ‘1’ 510, can accommodate the combined bandwidth of incoming 100 Mbps network links A₁ 460, A₂ 462, A₃ 464, A₄ 466 and the combined bandwidth of outgoing 100 Mbps network links B₁ 461, B₂ 463, B₃ 465, B₄ 467. In an embodiment of the invention, IPS 510 and IPS Edge Controller 408 are physically separated and directly coupled via cables, such as but not limited to, copper wire or fiber optic cables. In another embodiment of the invention, IPS 510 and IPS Edge Controller 408 are physically separated and remotely coupled via long cables, such as but not limited to, copper wire or fiber optic cables.

FIG. 6 is a generalized block diagram illustrating an embodiment of the present invention implemented as two or more chained IPS Edge Controllers 408, 608, 616 providing additional port pairs to “Bump In Traffic Path” (BITP) Intrusion Prevention System (IPS) ‘1’ 410. In this embodiment of the invention, IPS Edge Controller ‘A’ 408 comprises a plurality of side ‘A’ end-point ports (E-ports) E₂ 422, E₄ 424, connected to I-ports I₂₃ 653 and I₂₃ 663 of IPS Edge Controller ‘B’ 608 and IPS Edge Controller ‘C’ 616 respectively, and a corresponding plurality of side ‘B’ E-ports E₂₀ 440, E₂₂ 442, which connect to I-ports I₂₄ 654 and I₂₄ 664 of IPS Edge Controller ‘B’ 608 and IPS Edge Controller ‘C’ 616, respectively. IPS Edge Controller 408 likewise comprises IPS ports (I-ports) I₂₃ 453 and I₂₄ 454, which are connected to corresponding inbound link port I₁ 412 and outbound link port I₂ 414 of IPS ‘1’ 410. IPS Edge Controller ‘B’ 608 comprises a plurality of side ‘A’ end-point ports (E-ports) E₂ 622, E₄ 624 and a corresponding plurality of side ‘B’ E-ports E₂₀ 640, E₂₂ 642, which connect to network end-points or other network infrastructures such as, but not limited to, firewalls, routers or switches. IPS Edge Controller 608 likewise comprises IPS ports (I-ports) I₂₃ 653 and I₂₄ 654, which are connected to corresponding E-ports E₂ 422, E₂₀ 440 of IPS Edge Controller ‘A’ 408. IPS Edge Controller ‘C’ 616 comprises a plurality of side ‘A’ end-point ports (E-ports) E₂ 632, E₄ 634 and a corresponding plurality of side ‘B’ E-ports E₂₀ 650, E₂₂ 652, which connect to network end-points or other network infrastructures such as, but not limited to, firewalls, routers or switches. IPS Edge Controller 616 likewise comprises IPS ports (I-ports) I₂₃ 663 and I₂₄ 664, which are connected to corresponding E-ports E₄ 424, E₂₂ 442 of IPS Edge Controller ‘A’ 408.

As network packets enter IPS Edge Controller ‘B’ 608 on a side ‘A’ E-port, IPS Edge Controller ‘B’ 608 adds a first Virtual Local Area Network (VLAN) tag to each packet to indicate which side ‘B’ E-port the packet will exit after IPS processing. The packet is then forwarded to the I-port corresponding to the side ‘A’ E-port, which conveys the packet to a side ‘A’ E-port on IPS Edge Controller ‘A’ 408, which adds a second VLAN tag to indicate which side ‘B’ E-port the packet will exit after IPS processing. The packet is then forwarded to the I-port corresponding to the side ‘A’ E-port, which then conveys the packet to IPS ‘1’ 410 for processing. Once IPS processing is complete, the packet is transmitted from IPS ‘1’ 410 to the I-port corresponding to the side ‘B’ E-port of IPS Edge Controller ‘A’ 408 indicated by the second VLAN tag in the packet, which then forwards the packet to the I-port corresponding to the side ‘B’ E-port of IPS Edge Controller ‘B’ 608 as indicated by the first VLAN tag in the packet. Likewise, as network packets enter IPS Edge Controller ‘C’ 616 on a side ‘A’ E-port, IPS Edge Controller ‘C’ 616 adds a first VLAN tag to each packet to indicate which side ‘B’ E-port the packet will exit after IPS processing. The packet is then forwarded to the I-port corresponding to the side ‘A’ E-port, which conveys the packet to a side ‘A’ E-port on IPS Edge Controller ‘A’ 408, which adds a second VLAN tag to indicate which side ‘B’ E-port the packet will exit after IPS processing. The packet is then forwarded to the I-port corresponding to the side ‘A’ E-port, which then conveys the packet to IPS ‘1’ 410 for processing. Once IPS processing is complete, the packet is transmitted from IPS ‘1’ 410 to the I-port corresponding to the side ‘B’ E-port of IPS Edge Controller ‘A’ 408 indicated by the second VLAN tag in the packet, which then forwards the packet to the I-port corresponding to the side ‘B’ E-port of IPS Edge Controller ‘C’ 616 as indicated by the first VLAN tag in the packet.

In an embodiment of the invention, a plurality of incoming 100 Mbps network links A₁ 460, A₃ 464 are connected to corresponding side ‘A’ E-ports E₂ 622, E₄ 624 of IPS Edge Controller ‘B’ 608. As packets from each network link enter IPS Edge Controller ‘B’ 608, a first VLAN tag is added to each packet to indicate which side ‘B’ E-port the packet will exit after processing by IPS ‘1’ 410. In this embodiment of the invention, traffic flows from E-ports E₂ 622, E₄ 624 are combined, or “fanned-in,” to I-port I₂₃ 653 and then conveyed via 100 Mbps link A₅ 668 to side ‘A’ E-port E₂ 422 of IPS Edge Controller ‘A’ 408. Likewise, a plurality of incoming 100 Mbps network links A₂ 462, A₄ 466 are connected to corresponding side ‘A’ E-ports E₂ 632, E₄ 634 of IPS Edge Controller ‘C’ 616. As packets from each network link enter IPS Edge Controller ‘C’ 616, a first VLAN tag is added to each packet to indicate which side ‘B’ E-port the packet will exit after processing by IPS ‘1’ 410. In this embodiment of the invention, traffic flows from E-ports E₂ 632, E₄ 634 are combined, or “fanned-in,” to I-port I₂₃ 663 and then conveyed via 100 Mbps link A₆ 670 to side ‘A’ E-port E₄ 424 of IPS Edge Controller ‘A’ 408.

As packets from 100 Mbps links A₅ 668 and A₆ 670 enter IPS Edge Controller ‘A’ 408 through side ‘A’ E-ports E₂ 422 and E₄ 424 respectively, a second VLAN tag is added to each packet to indicate which side ‘B’ E-port the packet will exit after processing by IPS ‘1’ 410. In this embodiment of the invention, traffic flows from E-ports E₂ 422, E₄ 424 are combined, or “fanned-in,” to I-port I₂₃ 453 and then conveyed via 1 Gbps link 480 to inbound IPS link port I₁ 412 of IPS ‘1’ 410 for processing. Once IPS processing is complete, the combined traffic flows are conveyed through outbound IPS link port I₂ 414 via 1 Gbps network link 481 to I-port I₂₄ 454. As the combined traffic flows are received by I-port I₂₄ 454, IPS Edge Controller 408 examines the second VLAN tag of each packet to determine its indicated exit E-port, removes the second VLAN tag from the packet, and then transmits the resulting packet to the indicated side ‘B’ E-port E₂₀ 440 or E₂₂ 442, which are respectively connected to outgoing 100 Mbps network links B₅ 669 and B₆ 671. The packets are then received by I-port I₂₄ 654 of IPS Edge Controller ‘B’ 608 or I-port I₂₄ 664 of IPS Edge Controller ‘C’ 616, which removes the first VLAN tag from each packet and forwards it, as indicated by that first VLAN tag, to the corresponding side ‘B’ E-port E₂₀ 640 or E₂₂ 642 of IPS Edge Controller ‘B’ 608, respectively connected to outgoing 100 Mbps network links B₁ 461, B₃ 465, or to the corresponding side ‘B’ E-port E₂₀ 650 or E₂₂ 652 of IPS Edge Controller ‘C’ 616, respectively connected to outgoing 100 Mbps network links B₂ 463, B₄ 467.
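The single-tag path of FIG. 4 (a VLAN tag pushed at the side ‘A’ E-port, read and popped after the IPS), the chained double tagging of FIG. 6 just described, and the “trusted”/“known bad” ACL handling of the E-ports, modelled together as an added example in Python. This is editor-supplied illustration code, not the patent's or any vendor's implementation: the 802.1Q tag layout is the real one, but the E-port numbering, the VLAN-ID scheme (a per-controller base plus the ingress port number), the source-MAC ACL, the “EXPLOIT” signature and the frames are assumptions constructed for the demo. Chaining falls out of composing controllers: the child's I-port faces a parent's side ‘A’ E-port instead of the IPS, so each level pushes its own tag on the way in and pops its own (outermost) tag on the way back.

```python
# Added example (not from the patent): byte-level model of the IPS Edge
# Controller tagging of FIG. 4 / FIG. 6 and the E-port ACL bypass.
# Port numbers, VLAN-ID scheme, ACL and signature are assumptions for the demo.
import struct
from typing import Callable, List, Optional, Tuple

TPID_8021Q = 0x8100


def push_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI, PCP/DEI zero) after the two MAC addresses."""
    if not 0 < vid < 4095:
        raise ValueError("VLAN ID out of range")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def pop_tag(frame: bytes) -> Tuple[int, bytes]:
    """Strip the outermost 802.1Q tag; return (vid, frame without that tag)."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("outermost header is not an 802.1Q tag")
    return tci & 0x0FFF, frame[:12] + frame[16:]


def payload_of(frame: bytes) -> bytes:
    """Skip the whole tag stack (one tag per controller level) and return the L3 payload."""
    off = 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        off += 4
    return frame[off + 2:]


def ips_inspect(tagged: bytes) -> Optional[bytes]:
    """Stand-in for IPS '1': drop on a constructed signature, otherwise return the
    frame unchanged (tags included, so the controller can still read the exit port)."""
    return None if b"EXPLOIT" in payload_of(tagged) else tagged


class EdgeController:
    """Side-A E-port i pairs with side-B E-port i + pair_offset (FIG. 4 pairs E1..E4
    with E19..E22, so pair_offset = 18). `upstream` is what the I-port faces: the
    IPS, or a parent controller's side-A E-port when controllers are chained."""

    def __init__(self, name: str, pair_offset: int, vid_base: int,
                 upstream: Callable[[bytes], Optional[bytes]],
                 acl: Callable[[bytes], str]) -> None:
        self.name, self.pair_offset, self.vid_base = name, pair_offset, vid_base
        self.upstream, self.acl = upstream, acl
        self.dropped: List[Tuple[str, int]] = []      # (controller, ingress E-port)

    def ingress(self, a_port: int, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Return (side-B exit E-port, frame) or None if the frame was discarded."""
        verdict = self.acl(frame)
        if verdict == "known_bad":        # discarded at the E-port; never reaches the IPS
            self.dropped.append((self.name, a_port))
            return None
        if verdict == "trusted":          # ACL bypass straight to the paired side-B port
            return a_port + self.pair_offset, frame
        # "unknown": encode the exit port in a VLAN tag, fan in to the I-port
        back = self.upstream(push_tag(frame, self.vid_base + a_port))
        if back is None:                  # the IPS discarded it
            self.dropped.append((self.name, a_port))
            return None
        vid, untagged = pop_tag(back)     # this level's tag is outermost on the way back
        return vid - self.vid_base + self.pair_offset, untagged


def a_side_port(parent: EdgeController, a_port: int) -> Callable[[bytes], Optional[bytes]]:
    """Adapter: a child controller's I-port cabled to side-A E-port `a_port` of `parent`."""
    def upstream(tagged: bytes) -> Optional[bytes]:
        out = parent.ingress(a_port, tagged)
        return None if out is None else out[1]
    return upstream


def ethernet(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed ACL keyed on source MAC (a real E-port ACL would match L2/L3/L4
# fields, e.g. the UDP ports of the VoIP flows the text designates as trusted).
VOIP_PHONE = bytes.fromhex("001122334455")
BANNED_HOST = bytes.fromhex("00deadbeef00")


def acl(frame: bytes) -> str:
    src = frame[6:12]
    return "trusted" if src == VOIP_PHONE else "known_bad" if src == BANNED_HOST else "unknown"


# FIG. 4: controller A, E1..E4 paired with E19..E22, I-port facing the IPS.
ctl_a = EdgeController("A", 18, 100, ips_inspect, acl)
# FIG. 6: controller B's I-ports are cabled to controller A's E2/E20 pair.
ctl_b = EdgeController("B", 18, 200, a_side_port(ctl_a, 2), acl)

GATEWAY = bytes.fromhex("ffeeddccbbaa")
CLIENT_PC = bytes.fromhex("0a0b0c0d0e0f")


def demo() -> dict:
    """Run one constructed frame of each kind through the controllers."""
    return {
        "unknown_a": ctl_a.ingress(1, ethernet(GATEWAY, CLIENT_PC, b"GET / HTTP/1.1")),
        "exploit_a": ctl_a.ingress(3, ethernet(GATEWAY, CLIENT_PC, b"EXPLOIT...")),
        "trusted_a": ctl_a.ingress(4, ethernet(GATEWAY, VOIP_PHONE, b"RTP")),
        "known_bad_a": ctl_a.ingress(1, ethernet(GATEWAY, BANNED_HOST, b"anything")),
        "chained_b": ctl_b.ingress(4, ethernet(GATEWAY, CLIENT_PC, b"SSH-2.0")),
    }
```

In the chained case the frame from controller B's E4 carries VLAN 204 when it reaches controller A's E2, picks up VLAN 102 as the outer tag, is inspected by the stand-in IPS, and is unwrapped in reverse order: A pops 102 and emits on E20 (its pair for E2), B pops 204 and emits on E22 (its pair for E4), exactly the two-tag round trip the FIG. 6 description walks through.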

In this embodiment of the invention, the 1 Gbps bandwidth of network link 480, connecting I-port I₂₃ 453 and inbound IPS link port I₁ 412 of IPS ‘1’ 410, can accommodate the combined bandwidth of incoming 100 Mbps network links A₁ 460, A₃ 464 originating from IPS Edge Controller ‘B’ 608 and incoming 100 Mbps network links A₂ 462, A₄ 466 originating from IPS Edge Controller ‘C’ 616. Likewise, the 1 Gbps bandwidth of network link 481 connecting IPS outbound link port I₂ 414 of IPS ‘1’ 410 and I-port I₂₄ 454 can similarly accommodate the combined bandwidth of outgoing 100 Mbps network links B₁ 461, B₃ 465 emanating from IPS Edge Controller ‘B’ 608 and outgoing 100 Mbps network links B₂ 463, B₄ 467 emanating from IPS Edge Controller ‘C’ 616. Note, however, that the 100 Mbps links A₅ 668, A₆ 670, B₅ 669 and B₆ 671 between the chained controllers each carry the fan-in of two 100 Mbps links and are therefore oversubscribed 2:1 when those links are fully utilized.

In an embodiment of the invention, IPS 410, IPS Edge Controller ‘A’ 408, IPS Edge Controller ‘B’ 608, and IPS Edge Controller ‘C’ 616 are physically separated and directly coupled via cables, such as but not limited to, copper wire or fiber optic cables. In another embodiment of the invention, IPS 410, IPS Edge Controller ‘A’ 408, IPS Edge Controller ‘B’ 608, and IPS Edge Controller ‘C’ 616 are physically separated and remotely coupled via long cables, such as but not limited to, copper wire or fiber optic cables. In an embodiment of the invention, one or more IPS Edge Controllers are physically placed between access ports and Layer 2 switches, which in turn are connected to an IPS Edge Controller connected to a Layer 3 switch, allowing further segmentation granularity of IPS-secured containment areas, thereby providing an IPS-protected network area at the access port level.

FIG. 7 is a generalized block diagram illustrating an embodiment of the present invention implemented as IPS Edge Controller 408 to provide load balancing for a “Bump In Traffic Path” (BITP) Intrusion Prevention System (IPS). In this embodiment of the invention, IPS Edge Controller 408 comprises side ‘A’ E-port E₁ 721 and side ‘B’ E-port E₉ 729, which connect to network end-points or other network infrastructures as described in greater detail hereinabove. IPS Edge Controller 408 similarly comprises I-port pairs I₁₃ 735, I₁₄ 736 through I₂₃ 753, I₂₄ 754, which are connected to corresponding IPS link ports I₁ 712, I₂ 714 of IPS ‘1’ 710 through IPS link ports I₁ 718, I₂ 720 of IPS ‘10’ 716.

In this embodiment of the invention, E-port E₁ 721 is directly connected to side ‘A’ and indirectly connected to I-ports I₁₃ 735 through I₂₃ 753, and similarly, I-ports I₁₄ 736 through I₂₄ 754 are indirectly connected to E-port E₉ 729, which is directly connected to side ‘B.’ As network packets from 10 Gbps network link ‘A₁’ 790 enter IPS Edge Controller 408 through side ‘A’ E-port E₁ 721, IPS Edge Controller 408 spreads the network traffic across IPS ‘1’ 710 through IPS ‘10’ 716 to balance the traffic load. Distribution is at the flow level, as described for the OLIP hereinabove, so that all packets of a given connection are inspected by the same IPS and stateful inspection is preserved. Each packet is forwarded by IPS Edge Controller 408 to its assigned I-port I₁₃ 735 through I₂₃ 753, which then conveys the packet via the respective 1 Gbps link 784 through 786 to the corresponding inbound IPS link port I₁ 712 of IPS ‘1’ 710 through I₁ 718 of IPS ‘10’ 716.

Once IPS processing is complete, each packet is transmitted from IPS ‘1’ 710 through IPS ‘10’ 716 via corresponding IPS port links I₂ 714 through I₂ 720 via their respective 1 Gbps network links 785 through 787 to corresponding I-ports I₁₄ 736 through I₂₄ 754. As IPS-processed packets arrive at I-ports I₁₄ 736 through I₂₄ 754, IPS Edge Controller 408 aggregates the processed packets into a combined traffic stream that is then conveyed to side ‘B’ E-port E₉ 729, which is connected to 10 Gbps network link ‘B₁’ 791.

In this embodiment of the invention, the 1 Gbps bandwidth of network links 784 through 786, connecting I-ports I₁₃ 735 through I₂₃ 753 and inbound IPS link ports I₁ 712 through I₁ 718 of IPS ‘1’ 710 and IPS ‘10’ 716 respectively, when combined, can accommodate the bandwidth of incoming 10 Gbps network link A₁ 790 connected to E-port E₁ 721, and the 1 Gbps bandwidth of network links 785 through 787, connecting I-ports I₁₄ 736 through I₂₄ 754 and outbound IPS link ports I₂ 714 through I₂ 720 of IPS ‘1’ 710 through IPS ‘10’ 716 respectively, when combined, can similarly accommodate the bandwidth of outgoing 10 Gbps network link B₁ 791 connected to E-port E₉ 729. In an embodiment of the invention, IPS ‘1’ 710 through IPS ‘10’ 716 and IPS Edge Controller 408 are physically separated and directly coupled via cables, such as but not limited to, copper wire or fiberoptic cables. In another embodiment of the invention, IPS ‘1’ 710 through IPS ‘10’ 716 and IPS Edge Controller 408 are physically separated and remotely coupled via long cables, such as but not limited to, copper wire or fiberoptic cables.

FIG. 8 is a generalized block diagram illustrating an embodiment of the present invention implemented as IPS Edge Controller 408 to provide high availability for a “Bump In Traffic Path” (BITP) Intrusion Prevention System (IPS). In this embodiment of the invention, IPS Edge Controller 408 comprises side ‘A’ E-ports E₁ 721, E₂ 822, and side ‘B’ E-ports E₉ 729, E₁₀ 830, which connect to network end-points or other network infrastructures as described in greater detail hereinabove. IPS Edge Controller 408 similarly comprises I-port pairs I₁₃ 735, I₁₄ 736 through I₂₃ 753, I₂₄ 754, which are connected to corresponding IPS link ports I₁ 712, I₂ 714 of IPS ‘1’ 710 through IPS link ports I₁ 718, I₂ 720 of IPS ‘10’ 716.

In this embodiment of the invention, E-ports E₁ 721 and E₂ 822 are directly connected to side ‘A’ and indirectly connected to I-ports I₁₃ 735 through I₂₃ 753, and similarly, I-ports I₁₄ 736 through I₂₄ 754 are indirectly connected to E-ports E₉ 729 and E₁₀ 830, which are directly connected to side ‘B.’ As network packets from 10 Gbps network links ‘A₁’ 790, ‘A₂’ 892 enter IPS Edge Controller 408 through side ‘A’ E-ports E₁ 721, E₂ 822, IPS Edge Controller 408 adds a VLAN tag to each packet to indicate which side ‘B’ E-port the packet will exit after IPS processing. IPS Edge Controller 408 then spreads the network traffic flows from E-ports E₁ 721, E₂ 822 across IPS ‘1’ 710 through IPS ‘10’ 716 to balance the traffic. Each packet is forwarded by IPS Edge Controller 408 to assigned I-ports I₁₃ 735 through I₂₃ 753, which then convey packets respectively via 1 Gbps links 784 through 786 to corresponding inbound IPS link ports I₁ 712 of IPS ‘1’ 710 through I₁ 718 of IPS ‘10’ 716.

Once IPS processing is complete, each packet is transmitted from IPS ‘1’ 710 through IPS ‘10’ 716 via corresponding IPS port links I₂ 714 through I₂ 720 via their respective 1 Gbps network links 785 through 787 to corresponding I-ports I₁₄ 736 through I₂₄ 754. As IPS-processed packets arrive at I-ports I₁₄ 736 through I₂₄ 754, IPS Edge Controller 408 examines the added VLAN tag of each packet to determine its indicated exit E-port, removes the VLAN tag from the packet, and then conveys the resulting packet to the indicated side ‘B’ E-port E₉ 729 or E₁₀ 830, which are respectively connected to outgoing 10 Gbps network links B₁ 791, B₂ 893.

In this embodiment of the invention, 10 Gbps network links ‘A₁’ 790, ‘A₂’ 892 are typically implemented for redundancy and/or high availability and as such are not generally operated at their full capacity. Accordingly, the combined 1 Gbps bandwidth of network links 784 through 786, connecting I-ports I₁₃ 735 through I₂₃ 753 and inbound IPS link ports I₁ 712 through I₁ 718 of IPS ‘1’ 710 through IPS ‘10’ 716 respectively, can typically accommodate the combined bandwidth of incoming, non-full-capacity 10 Gbps network links ‘A₁’ 790, ‘A₂’ 892, respectively connected to E-ports E₁ 721 and E₂ 822, and similarly, the combined 1 Gbps bandwidth of network links 785 through 787, connecting I-ports I₁₄ 736 through I₂₄ 754 and outbound IPS link ports I₂ 714 through I₂ 720 of IPS ‘1’ 710 through IPS ‘10’ 716 respectively, can typically accommodate the combined bandwidth of outgoing 10 Gbps network links ‘B₁’ 791, ‘B₂’ 893, respectively connected to E-ports E₉ 729 and E₁₀ 830. Should one or more of IPS ‘1’ 710 through IPS ‘10’ 716 be removed from service, the remaining IPSs are therefore capable of sustaining processing operations for the combined traffic flows of incoming 10 Gbps network links ‘A₁’ 790, ‘A₂’ 892 and outgoing 10 Gbps network links ‘B₁’ 791, ‘B₂’ 893. Similarly, should either of incoming 10 Gbps network links ‘A₁’ 790, ‘A₂’ 892 fail or be removed from service, the remaining 10 Gbps network link would typically operate at full capacity, with the resulting network traffic load being distributed across IPS ‘1’ 710 through IPS ‘10’ 716 as described in greater detail hereinabove, thereby providing high availability and continuity of IPS protection. In an embodiment of the invention, IPS ‘1’ 710 through IPS ‘10’ 716 and IPS Edge Controller 408 are physically separated and directly coupled via cables, such as but not limited to, copper wire or fiberoptic cables. In another embodiment of the invention, IPS ‘1’ 710 through IPS ‘10’ 716 and IPS Edge Controller 408 are physically separated and remotely coupled via long cables, such as but not limited to, copper wire or fiberoptic cables.
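As an added illustration (not code from the patent), the following Python model walks a packet through the FIG. 7 and FIG. 8 edge controller: the side ‘A’ E-port tags it with a VLAN ID that encodes its exit E-port, the flow is hashed onto one of the IPS I-port pairs, a stand-in IPS returns or discards it, and side ‘B’ reads and strips the tag and forwards the packet to the named E-port; it also carries out the 1 Gbps × N capacity check behind the removal-from-service argument. Port names, VLAN IDs, the direction-independent 5-tuple hash, the blocked-port stand-in for the IPS and the sample packets are all assumptions made for the example.

```python
"""Model of the FIG. 7/8 data path of IPS Edge Controller 408, added here as
an illustration (not code from the patent).  Side 'A' E-ports tag each packet
with a VLAN ID naming its exit E-port on side 'B', flows are spread across a
pool of IPS link ports, and on return the tag is read, stripped and the packet
sent out the named E-port.  Port names, VLAN IDs, link rates and sample
packets are all constructed for the example."""
import hashlib
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    vlan: Optional[int] = None  # 802.1Q tag set by the edge controller, if any

    def flow_key(self) -> Tuple:
        # Direction-independent 5-tuple so both halves of a session hash alike
        # and reach the same IPS (assumption: the IPS wants whole sessions).
        a, b = (self.src, self.sport), (self.dst, self.dport)
        return (self.proto,) + tuple(sorted([a, b]))


class IPSEdgeController:
    """Two side-'A' E-ports, two side-'B' E-ports, one I-port pair per IPS."""

    # Constructed: entering E-port -> (exit E-port, VLAN ID carrying that choice)
    PAIRING = {"E1": ("E9", 101), "E2": ("E10", 102)}

    def __init__(self, ips_names: List[str], iport_gbps: float = 1.0) -> None:
        self.ips_pool = list(ips_names)      # IPSs currently in service
        self.iport_gbps = iport_gbps         # rate of each I-port link (1 Gbps)
        self.exit_by_vlan = {v: e for (e, v) in self.PAIRING.values()}
        self.egress: Dict[str, List[Packet]] = {e: [] for e, _ in self.PAIRING.values()}

    # ---- side 'A': tag the packet, then pick an IPS for its flow -----------
    def choose_ips(self, pkt: Packet) -> str:
        if not self.ips_pool:
            raise RuntimeError("no IPS in service")
        digest = hashlib.sha256(repr(pkt.flow_key()).encode()).digest()
        return self.ips_pool[int.from_bytes(digest[:4], "big") % len(self.ips_pool)]

    def ingress(self, eport: str, pkt: Packet) -> Tuple[str, Packet]:
        if eport not in self.PAIRING:
            raise ValueError(f"{eport} is not a side 'A' E-port")
        _, vlan = self.PAIRING[eport]
        tagged = replace(pkt, vlan=vlan)     # remember the exit port in the tag
        return self.choose_ips(tagged), tagged

    # ---- side 'B': read the tag, strip it, forward to the named E-port ------
    def egress_from_ips(self, pkt: Packet) -> str:
        if pkt.vlan not in self.exit_by_vlan:
            raise ValueError("packet returned from IPS without a valid exit tag")
        exit_port = self.exit_by_vlan[pkt.vlan]
        self.egress[exit_port].append(replace(pkt, vlan=None))
        return exit_port

    # ---- availability: IPS removal and the 1 Gbps x N capacity check --------
    def remove_ips(self, ips: str) -> None:
        self.ips_pool.remove(ips)            # later flows hash onto the rest

    def inbound_capacity_gbps(self) -> float:
        return self.iport_gbps * len(self.ips_pool)

    def can_carry(self, offered_gbps: float) -> bool:
        # Ten 1 Gbps I-port links carry a full 10 Gbps E-port; with one IPS
        # out, only a non-full-capacity link still fits, as FIG. 8 relies on.
        return offered_gbps <= self.inbound_capacity_gbps()


def ips_inspect(pkt: Packet, blocked_dports: FrozenSet[int]) -> Optional[Packet]:
    """Stand-in for the IPS: 'known bad' destination ports are discarded,
    everything else is returned unchanged, tag included."""
    return None if pkt.dport in blocked_dports else pkt


def run_path(ctrl: IPSEdgeController, eport: str, pkt: Packet,
             blocked_dports: FrozenSet[int] = frozenset()) -> Tuple[str, Optional[str]]:
    """Full bump-in-traffic-path trip: (IPS used, exit E-port or None if dropped)."""
    ips, tagged = ctrl.ingress(eport, pkt)
    returned = ips_inspect(tagged, blocked_dports)
    if returned is None:
        return ips, None                     # dropped packets never reach side 'B'
    return ips, ctrl.egress_from_ips(returned)


if __name__ == "__main__":
    ctrl = IPSEdgeController([f"IPS{i}" for i in range(1, 11)])
    pkt = Packet("10.0.0.5", "10.0.1.9", "tcp", 40000, 443)   # constructed sample
    print(run_path(ctrl, "E1", pkt), ctrl.egress["E9"])
    ctrl.remove_ips("IPS3")
    print(ctrl.inbound_capacity_gbps(), ctrl.can_carry(10.0), ctrl.can_carry(8.0))
```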

FIG. 9 is a generalized block diagram illustrating an embodiment of the present invention implemented as IPS Edge Controllers ‘A’ 940 and ‘B’ 950 to provide redundant availability for a “Bump In Traffic Path” (BITP) Intrusion Prevention System (IPS). In this embodiment of the invention, IPS Edge Controller ‘A’ 940 comprises side ‘A’ E-ports E₁ 927, E₂ 928, which connect to Layer 2 access switches ‘A’ 902, ‘B’ 904, via 1 Gbps network links ‘A₁’ 960, ‘A₂’ 962 respectively, and side ‘B’ E-ports E₉ 929, E₁₀ 930, which connect to Layer 3 distribution switches ‘A’ 906, ‘B’ 908, via 1 Gbps network links ‘B₁’ 961, ‘B₂’ 963 respectively. IPS Edge Controller ‘A’ 908 similarly comprises I-port pairs I₁₃ 931, I₁₄ 932 and I₂₃ 933, I₂₄ 934, which are connected to corresponding IPS link ports I₁ 912, I₂ 914 of IPS ‘1’ 950 and IPS link ports I₁ 918, I₂ 920 of IPS ‘2’ 916. IPS Edge Controller ‘B’ 950 similarly comprises side ‘A’ E-ports E₁ 971, E₂ 972, which connect to Layer 2 access switches ‘A’ 902, ‘B’ 904, via 1 Gbps network links ‘A₃’ 964, ‘A₄’ 966 respectively, and side ‘B’ E-ports E₉ 973, E₁₀ 974, which connect to Layer 3 distribution switches ‘A’ 906, ‘B’ 908, via 1 Gbps network links ‘B₃’ 965, ‘B₄’ 967 respectively. IPS Edge Controller 908 similarly comprises I-port pairs I₁₃ 975, I₁₄ 976 and I₂₃ 977, I₂₄ 978, which are connected to corresponding IPS link ports I₃ 913, I₄ 915 of IPS ‘1’ 910 and IPS link ports I₃ 919, I₄ 921 of IPS ‘2’ 916. Note that in this embodiment of the invention, IPS ‘1’ 910 and IPS ‘2’ 916 each comprise four IPS link ports, allowing redundant connections to IPS Edge Controllers ‘A’ 908 and ‘B’ 950.

In this embodiment of the invention, E-ports E₁ 927 and E₂ 928 of IPS Edge Controller ‘A’ 908 are directly connected to side ‘A’ and indirectly connected to I-ports I₁₃ 931, I₂₃ 933, and similarly, I-ports I₁₄ 932, I₂₄ 934 are indirectly connected to E-ports E₉ 929 and E₁₀ 930, which are directly connected to side ‘B.’ As network packets from 1 Gbps network links ‘A₁’ 960, ‘A₂’ 962 enter IPS Edge Controller ‘A’ 908 through side ‘A’ E-ports E₁ 927, E₂ 928, IPS Edge Controller ‘A’ 908 adds a VLAN tag to each packet to indicate which side ‘B’ E-port the packet will exit after IPS processing. IPS Edge Controller ‘A’ 908 then spreads the network traffic flows from E-ports E₁ 927, E₂ 928 across IPS ‘1’ 910 and IPS ‘2’ 916 to balance the traffic. Each packet is forwarded by IPS Edge Controller ‘A’ 908 to assigned I-ports I₁₃ 931, I₂₃ 933, which then convey packets respectively via 1 Gbps links 981, 983 to corresponding inbound IPS link ports I₁ 912 of IPS ‘1’ 910 and I₁ 918 of IPS ‘2’ 916.

Once IPS processing is complete, each packet is transmitted from IPS ‘1’ 910 and IPS ‘2’ 916 via corresponding IPS port links I₂ 914, I₂ 920 via their respective 1 Gbps network links 982, 984 to corresponding I-ports I₁₄ 932, I₂₄ 934. As IPS-processed packets arrive at I-ports I₁₄ 932, I₂₄ 934, IPS Edge Controller ‘A’ 908 examines the added VLAN tag of each packet to determine its indicated exit E-port, removes the VLAN tag from the packet, and then conveys the resulting packet to the indicated side ‘B’ E-port E₉ 929 or E₁₀ 930, which are respectively connected to outgoing 1 Gbps network links B₁ 961, B₂ 963.

Similarly, E-ports E₁ 971 and E₂ 972 of IPS Edge Controller ‘B’ 950 are directly connected to side ‘A’ and indirectly connected to I-ports I₁₃ 975, I₂₃ 977, and similarly, I-ports I₁₄ 976, I₂₄ 978 are indirectly connected to E-ports E₉ 973 and E₁₀ 974, which are directly connected to side ‘B.’ As network packets from 1 Gbps network links ‘A₃’ 964, ‘A₄’ 966 enter IPS Edge Controller ‘B’ 950 through side ‘A’ E-ports E₁ 971, E₂ 972, IPS Edge Controller ‘B’ 950 adds a VLAN tag to each packet to indicate which side ‘B’ E-port the packet will exit after IPS processing. IPS Edge Controller ‘B’ 950 then spreads the network traffic flows from E-ports E₁ 971, E₂ 972 across IPS ‘1’ 910 and IPS ‘2’ 916 to balance the traffic. Each packet is forwarded by IPS Edge Controller ‘B’ 950 to assigned I-ports I₁₃ 757, I₂₃ 977, which then convey packets respectively via 1 Gbps links 985, 987 to corresponding inbound IPS link ports I₃ 913 of IPS ‘1’ 910 and I₃ 919 of IPS ‘2’ 916.

Once IPS processing is complete, each packet is transmitted from IPS ‘1’ 910 and IPS ‘2’ 916 via corresponding IPS port links I₄ 915, I₄ 921 via their respective 1 Gbps network links 986, 988 to corresponding I-ports I₁₄ 976, I₂₄ 978. As IPS-processed packets arrive at I-ports I₁₄ 976, I₂₄ 978, IPS Edge Controller ‘B’ 950 examines the added VLAN tag of each packet to determine its indicated exit E-port, removes the VLAN tag from the packet, and then conveys the resulting packet to the indicated side ‘B’ E-port E₉ 973 or E₁₀ 974, which are respectively connected to outgoing 1 Gbps network links B₃ 965, B₄ 967.

In this embodiment of the invention, 1 Gbps network links ‘A₁’ 960, ‘A₂’ 962, ‘A₃’ 964, ‘A₄’ 966, ‘B₁’ 961, ‘B₂’ 963, ‘B₃’ 965, ‘B₄’ 967 are typically implemented for redundancy and/or high availability and as such are not generally operated at their full capacity. Accordingly, the combined bandwidth of 1 Gbps network links 981, 983, connecting I-ports I₁₃ 931, I₂₃ 933 and IPS link ports I₁ 912, I₁ 918 of IPS ‘1’ 910 and IPS ‘2’ 916 respectively, can typically accommodate the combined bandwidth of incoming, non-full-capacity 1 Gbps network links ‘A₁’ 960, ‘A₂’ 962, respectively connected to E-ports E₁ 927 and E₂ 928, and similarly, the combined 1 Gbps bandwidth of network links 982, 986, connecting I-ports I₁₄ 932, I₂₄ 934 and outbound IPS link ports I₂ 914, I₂ 920 of IPS ‘1’ 910 and IPS ‘2’ 916 respectively, can typically accommodate the combined bandwidth of outgoing 1 Gbps network links ‘B₁’ 961, ‘B₂’ 963, respectively connected to E-ports E₉ 929 and E₁₀ 930. Should IPS ‘1’ 910 or IPS ‘2’ 916 be removed from service, the remaining IPS is therefore capable of sustaining processing operations for the combined traffic flows of incoming 1 Gbps network links ‘A₁’ 960, ‘A₂’ 962 and outgoing 1 Gbps network links ‘B₁’ 961, ‘B₂’ 963. Similarly, should either of incoming 1 Gbps network links ‘A₁’ 960, ‘A₂’ 961 fail or be removed from service, the remaining 1 Gbps network link would typically operate at full capacity, with the resulting network traffic load being distributed across IPS ‘1’ 910 and IPS ‘2’ 916 as described in greater detail hereinabove, thereby providing high availability and continuity of IPS protection. Similarly, the combined 1 Gbps bandwidth of network links 985, 987, connecting I-ports I₁₃ 975, I₂₃ 977 and inbound IPS link ports I₃ 913, I₃ 919 of IPS ‘1’ 910 and IPS ‘2’ 916 respectively, can typically accommodate the combined bandwidth of incoming, non-full-capacity 1 Gbps network links ‘A₃’ 964, ‘A₄’ 966, respectively connected to E-ports E₁ 971 and E₂ 972, and similarly, the combined bandwidth of 1 Gbps network links 986, 988, connecting I-ports I₁₄ 976, I₂₄ 978 and outbound IPS link ports I₄ 915, I₄ 921 of IPS ‘1’ 910 and IPS ‘2’ 916 respectively, can typically accommodate the combined bandwidth of outgoing 1 Gbps network links ‘B₃’ 965, ‘B₄’ 967, respectively connected to E-ports E₉ 973 and E₁₀ 974. Should IPS ‘1’ 910 or IPS ‘2’ 916 be removed from service, the remaining IPS is therefore capable of sustaining processing operations for the combined traffic flows of incoming 1 Gbps network links ‘A₃’ 964, ‘A₄’ 966 and outgoing 1 Gbps network links ‘B₃’ 965, ‘B₄’ 967. Similarly, should either of incoming 1 Gbps network links ‘A₃’ 964, ‘A₄’ 966 fail or be removed from service, the remaining 1 Gbps network link would typically operate at full capacity, with the resulting network traffic load being distributed across IPS ‘1’ 910 and IPS ‘10’ 916 as described in greater detail hereinabove, thereby providing high availability and continuity of IPS protection.

Furthermore, in different embodiments of the invention, should IPS Edge Controller ‘A’ 908 or ‘B’ 950 fail or be removed from service, the remaining IPS Edge Controller can sustain operations, dependent upon combined network traffic loads, by forwarding traffic flows to IPS ‘1’ 910 and IPS ‘2’ 916 as described in more detail hereinabove.

In an embodiment of the invention, IPS ‘1’ 910, IPS ‘2’ 916, IPS Edge Controller ‘A’ 908, and IPS Edge Controller ‘B’ 950 are physically separated and directly coupled via cables, such as but not limited to, copper wire or fiberoptic cables. In another embodiment of the invention, IPS ‘1’ 910, IPS ‘2’ 916, IPS Edge Controller ‘A’ 908, and IPS Edge Controller ‘B’ 950 are physically separated and remotely coupled via long cables, such as but not limited to, copper wire or fiberoptic cables.

FIG. 10 is a generalized illustration of a network environment comprising redundantly connected Layer 2/3 switches as commonly implemented. In this illustration, Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, ‘C’ 1010, ‘D’ 1012 are redundantly connected to Layer 2/3 core switches ‘A’ 1002 and ‘B’ 1004. Layer 2 access switches ‘A’ 1028, ‘B’ 1030, ‘C’ 1032 respectively provide access ports 1038, 1040, 1042, and are redundantly connected to Layer 3 distribution switches ‘A’ 1006 and ‘B’ 1008. Layer 2 access switches ‘D’ 1034, ‘E’ 1036 respectively provide access ports 1044, 1046, and are redundantly connected to Layer 3 distribution switches ‘C’ 1010 and ‘D’ 1012.

Protected connectivity to Extranet 1056 is provided through Wide Area Network (WAN) router 1054, which precedes and is connected to Layer 2/3 core switch ‘A’ 1002. Protected connectivity to the Internet 1052 is similarly provided through WAN router 1050, which precedes and is connected to firewall 1048, which likewise precedes and is connected to Layer 2/3 core switch ‘A’ 1002. Note that in this illustration, the network receives limited protection from firewalls 1048, 1052 and that no other intrusion detection or prevention systems are implemented.

FIG. 11 is a generalized illustration of a network environment comprising redundantly connected Layer 2/3 switches as commonly implemented with a “Bump In The Wire” (BITW) Intrusion Prevention System (IPS). In this illustration, Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, ‘C’ 1010, ‘D’ 1012 are redundantly connected to IPS ‘A’ 1116 and IPS ‘B’ 1120, which in turn are redundantly connected to Layer 2/3 core switches ‘A’ 1002 and ‘B’ 1004. Layer 2 access switches ‘A’ 1028, ‘B’ 1030, ‘C’ 1032 respectively provide access ports 1038, 1040, 1042, and are redundantly connected to Layer 3 distribution switches ‘A’ 1006 and ‘B’ 1008. Layer 2 access switches ‘D’ 1034, ‘E’ 1036 respectively provide access ports 1044, 1046, and are redundantly connected to Layer 3 distribution switches ‘C’ 1010 and ‘D’ 1012.

Protected connectivity to Extranet 1056 is provided through WAN router 1054, which precedes and is connected to IPS ‘C’ 1124, which in turn precedes and is connected to Layer 2/3 core switch ‘A’ 1002. Protected connectivity to the Internet 1052 is similarly provided through WAN router 1050, which precedes and is connected to IPS ‘D’ 1126, which precedes and is connected to firewall 1048, which likewise precedes and is connected to Layer 2/3 core switch ‘A’ 1002. In this illustration, IPS-protected network area 1160 does not include Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, ‘C’ 1010, ‘D’ 1012, Layer 2 access switches ‘A’ 1028, ‘B’ 1030, ‘C’ 1032, ‘D’ 1034, ‘E’ 1036, or their respective access ports 1038, 1040, 1042, 1044, 1046.

FIG. 12 is a generalized illustration of an embodiment of the invention as implemented in a network environment comprising redundantly connected Layer 2/3 switches to provide a “Bump In Traffic Path” (BITP) Intrusion Prevention System (IPS). In this embodiment of the invention, Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, ‘C’ 1010, ‘D’ 1012 are redundantly connected to Layer 2/3 core switches ‘A’ 1002 and ‘B’ 1004. IPS ‘A’ 1116 is connected to IPS Edge Controller ‘A’ 1218, which is connected to Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, and to Layer 2 access switches ‘A’ 1028, ‘B’ 1030, ‘C’ 1032, respectively providing access ports 1038, 1040, 1042. IPS ‘B’ 1120 is connected to IPS Edge Controller ‘B’ 1222, which is connected to Layer 3 distribution switches ‘C’ 1010, ‘D’ 1012, and to Layer 2 access switches ‘D’ 1024, ‘E’ 1036 respectively providing access ports 1044, 1046.

Protected connectivity to Extranet 1056 is provided through WAN router 1054, which precedes and is connected to IPS ‘C’ 1124, which in turn precedes and is connected to Layer 2/3 core switch ‘A’ 1002. Protected connectivity to the Internet 1052 is similarly provided through WAN router 1050, which precedes and is connected to IPS ‘D’ 1126, which precedes and is connected to firewall 1048, which likewise precedes and is connected to Layer 2/3 core switch ‘A’ 1002. In this illustration, IPS-protected network area 1262 includes Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, ‘C’ 1010, ‘D’ 1012.

Furthermore, in an embodiment of the invention, an extended IPS-protected network area 1264 that includes Layer 2 access switches ‘A’ 1028, ‘B’ 1030, ‘C’ 1032, ‘D’ 1034, ‘E’ 1036, and their respective access ports 1038, 1040, 1042, 1044, 1046, is implemented through the use of private VLANs to place each user in an isolated Layer 2 area as described in greater detail herein. As will be apparent to those of skill in the art, this approach prevents direct peer-to-peer traffic through a Layer 2 access switch. Instead, all traffic is conveyed to a Layer 3 distribution switch, which requires all traffic to first pass through an IPS Edge Controller and an associated IPS before reaching its intended destination, thereby providing an extended IPS-protected network area 1264.

FIG. 13 is a generalized illustration of an embodiment of the invention as implemented in a network environment comprising redundantly connected Layer 2/3 switches to provide a redundant “Bump In Traffic Path” (BITP) Intrusion Prevention System (IPS). In this embodiment of the invention, Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, ‘C’ 1010, ‘D’ 1012 are redundantly connected to Layer 2/3 core switches ‘A’ 1002 and ‘B’ 1004. IPS ‘A’ 1116 and IPS ‘B’ 1120 are redundantly connected to IPS Edge Controller ‘A’ 1218 and IPS Edge Controller ‘B’ 1222. IPS Edge Controller ‘A’ 1218 is connected to Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, and to Layer 2 access switches ‘A’ 1028, ‘B’ 1030, ‘C’ 1032, respectively providing access ports 1038, 1040, 1042. IPS Edge Controller ‘B’ 1222 is connected to Layer 3 distribution switches ‘C’ 1010, ‘D’ 1012, and to Layer 2 access switches ‘D’ 1034, ‘E’ 1036 respectively providing access ports 1044, 1046.

Protected connectivity to Extranet 1056 is provided through WAN router 1054, which precedes and is connected to IPS ‘C’ 1124, which in turn precedes and is connected to Layer 2/3 core switch ‘A’ 1002. Protected connectivity to the Internet 1052 is similarly provided through WAN router 1050, which precedes and is connected to IPS ‘D’ 1126, which precedes and is connected to firewall 1048, which likewise precedes and is connected to Layer 2/3 core switch ‘A’ 1002. In this illustration, redundant IPS-protected network area 1366 includes Layer 3 distribution switches ‘A’ 1006, ‘B’ 1008, ‘C’ 1010, ‘D’ 1012 and Layer 2/3 core switches ‘A’ 1002 and ‘B’ 1004.

Furthermore, in an embodiment of the invention, an extended redundant IPS-protected network area 1368 that includes Layer 2 access switches ‘A’ 1028, ‘B’ 1030, ‘C’ 1032, ‘D’ 1034, ‘E’ 1036, and their respective access ports 1038, 1040, 1042, 1044, 1046, is implemented through the use of private VLANs to place each user in an isolated Layer 2 area as described in greater detail herein. As will be apparent to those of skill in the art, this approach prevents direct peer-to-peer traffic through a Layer 2 access switch. Instead, all traffic is conveyed to a Layer 3 distribution switch, which requires all traffic to first pass through an IPS Edge Controller and an associated IPS before reaching its intended destination, thereby providing an extended redundant IPS-protected network area 1368.

Skilled practitioners in the art will recognize that many other embodiments and variations of the present invention are possible. In addition, each of the referenced components in this embodiment of the invention may be comprised of a plurality of components, each interacting with the other in a distributed environment. Furthermore, other embodiments of the invention may expand on the referenced embodiment to extend the scale and reach of the system's implementation.

1. A system for processing network traffic, comprising: a network traffic processing device; and an edge controller operable to receive network traffic from a first plurality of ports and to send said network traffic to a second plurality of ports; wherein said network traffic processing device is communicatively coupled to the edge controller such that network traffic flowing into said edge controller is directed to said network traffic processing device prior to being sent back to said edge controller.
2. The system of claim 1, wherein said network traffic processing device is a network security device.
3. The system of claim 1, wherein said network traffic processing device is a proxy device.
4. The system of claim 1, wherein said network traffic processing device is a gateway device.
5. The system of claim 1, wherein said edge controller bypasses said network traffic processing device, when instructed by a configuration agent.
6. The system of claim 1, wherein said second plurality of ports comprises IPS ports (I-ports).
7. The system of claim 1, wherein said I-ports comprise outbound ports operable to form an outbound logical I-port (OLIP).
8. The system of claim 7, wherein said OLIP is operable to process outbound packets with 802.1Q tags.
9. The system of claim 1, wherein said plurality of ports comprise end-point ports (E-ports).
10. The system of claim 9, wherein said E-ports are operable to redirect network traffic to an OLIP.
11. The system of claim 10, wherein said network traffic is directed to said OLIP using an access control list (ACL).
12. The system of claim 10, wherein said OLIP is operable to balance inbound network traffic at the flow level between ports.
13. The system of claim 4, wherein said I-ports are segmented.
14. The system of claim 13, wherein said segmented ports are operable to provide enhanced traffic management.
15. The system of claim 14, wherein said segmented ports provide load balancing.
16. The system of claim 14, wherein said segmented ports provide redundancy.
17. The system of claim 1, wherein said edge controller is configured to provide management of distributed traffic flow.
18. The system of claim 17, wherein said distributed traffic flows originate from a first network link having a first transmission speed.
19. The system of claim 18, wherein said distributed traffic from said first network is distributed across a plurality of network links having a second transmission speed, said second transmission speed being less than said first transmission speed.
20. The system of claim 19, wherein said distributed traffic flows originating from said first network are processed by a plurality of network security devices.
21. The system of claim 18, wherein said distributed traffic from said first network is distributed across a plurality of network links having a second transmission speed, said second transmission speed being less than said first transmission speed.
22. The system of claim 17, wherein said distributed traffic flows originating from said first network are placed in a bypass mode when the path to said network security device reaches a predetermined packet loss threshold.
23. A system for processing network traffic, comprising: a network traffic processing device; and an edge controller operable to receive network traffic from a first plurality of ports and to send said network traffic to a single port; wherein said network traffic processing device is communicatively coupled to the edge controller via said single port, such that network traffic flowing into said edge controller is directed to said network traffic processing device prior to being sent back to said edge controller via said single port.
24. A system for processing network traffic, comprising: a network traffic processing device; a first edge controller operable to receive network traffic from a first plurality of ports and to direct said network traffic to a second plurality of ports; and a second edge controller operable to receive network traffic from a first plurality of ports, connected to said first edge controller and to direct said network traffic to a second plurality of ports; wherein said network traffic processing device is communicatively coupled to said second edge controller such that network traffic flowing into said second edge controller is directed to said network traffic processing device prior to being directed back to said second edge controller.
25. A system for processing network traffic, comprising: a network security device; and an edge controller comprising: a first set of end-point ports (E-ports); a second set of E-ports; and a set of IPS ports (I-ports); wherein said edge controller is operable to receive network traffic from a first set of plurality of ports and to direct said network traffic to a second plurality of ports via said set of I-ports; and wherein said network security device is communicatively coupled to said set of I-ports of said edge controller such that all network traffic flowing into said first set of E-ports is processed by said network security device before the resultant processed network traffic flows back into said set of I-ports of said edge controller and out of said second set of E-ports of said edge controller.
26. The system of claim 23, wherein said edge controller is operable to provide multiplexing functionality to enhance the throughput of said network traffic.
27. The system of claim 23, further comprising a plurality of security devices, wherein said first and second sets of E-ports each comprise a single E-port pair and said set of I-ports comprises a plurality of I-ports communicatively coupled to said plurality of security devices.
28. The system of claim 26 or 27, wherein said first and second sets of E-ports are communicatively coupled to a communication channel having a first data throughput rate and wherein said set of I-ports are communicatively coupled to said security device via communication channels having a second data throughput rate that is higher than said first data throughput rate.